Revision as of 16:08, 17 January 2012


Feature Name

Change several dangerous domains to use PrivateTmp in their unit file.

Summary

Run some services started by systemd with a private /tmp directory. This would mitigate the chance that a service's mistake in handling its /tmp data lets a user on the system gain a privilege escalation, since users would not have access to the service's /tmp directory.

Owner

Current status

Targeted release: [Fedora 17]

Last updated: Tue Jan 17 2012

Percentage of completion: 75%

Detailed Description

It seems to be a weekly occurrence that a new CVE is issued for some app that uses /tmp insecurely.

Privileged services should stop using /tmp and /var/tmp. These services can potentially be interfered with by unprivileged users, potentially leading to privilege escalation. The only server applications that need to use /tmp should be those communicating with users, for example the X server, and potentially apps that use Kerberos, for example sssd and nfs.gssd. (Although maybe at some point we need to fix this.) Most apps that rely on using /tmp to communicate with the user can easily be broken by users having individual /tmp directories via pam_namespace.

systemd as of Fedora 16 has the ability to run system services with private /tmp and /var/tmp. I would like to propose that we make this the default in Fedora 17, or at least open a bugzilla on all system services that we know of that use /tmp and /var/tmp to make them use private /tmp and /var/tmp.

Note: systemd in Fedora 16 is currently broken. This feature requires systemd-38.

Benefit to Fedora

Fedora systems would be more secure, and mitigated against /tmp privilege escalation.

Scope

This bugzilla is a blocker on all services that need to change their service unit file to include PrivateTmp=True.
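As an added example (not part of this wiki page or of any Fedora unit), the POSIX shell script below shows a weak unit beside its hardened form and audits unit files for a PrivateTmp= directive in their [Service] section. The unit texts and the exampled binary are constructed placeholders; the audit handles the boolean spellings systemd accepts (yes/true/on/1), lets the last assignment win, and ignores a PrivateTmp= line placed outside [Service], which systemd would also ignore.

```shell
#!/bin/sh
# Added example, not from the Fedora wiki page: audit systemd unit files for
# PrivateTmp= in their [Service] section. The unit texts below are constructed
# samples, not real Fedora units; /usr/sbin/exampled is a placeholder.

# Read a unit file on stdin; exit 0 if [Service] sets PrivateTmp to a true value
# (systemd accepts yes/true/on/1), exit 1 otherwise. A PrivateTmp= line outside
# [Service] is ignored, as systemd ignores it; the last assignment wins, and an
# empty "PrivateTmp=" resets the setting to its default (off).
private_tmp_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                                  # comment line
        /^\[/        { in_service = ($0 ~ /^\[Service\][ \t]*$/); next }
        in_service && /^[ \t]*PrivateTmp[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); v = tolower(v)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            enabled = (v == "yes" || v == "true" || v == "on" || v == "1")
        }
        END { exit (enabled ? 0 : 1) }
    '
}

# Convenience wrapper for unit text held in a shell variable.
unit_has_private_tmp() {
    printf '%s\n' "$1" | private_tmp_enabled
}

# Weak unit: the service shares the host /tmp with every local user.
WEAK_UNIT='[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled
'

# Hardened unit: the same service with a private /tmp and /var/tmp.
HARDENED_UNIT='[Unit]
Description=Example daemon (constructed sample)

[Service]
ExecStart=/usr/sbin/exampled
PrivateTmp=true
'

# Misplaced setting: PrivateTmp= under [Unit] is not a [Service] directive,
# so systemd ignores it and the service still gets the shared /tmp.
MISPLACED_UNIT='[Unit]
Description=Example daemon (constructed sample)
PrivateTmp=true

[Service]
ExecStart=/usr/sbin/exampled
'

# Usage: sh audit_private_tmp.sh /usr/lib/systemd/system/*.service
for f in "$@"; do
    if private_tmp_enabled < "$f"; then
        echo "ok       $f"
    else
        echo "MISSING  $f"
    fi
done
```

The script only reads the unit file text; on a running system, `systemctl show -p PrivateTmp name.service` reports the effective value, which also accounts for drop-in overrides the file-based audit does not see.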